CVE-2019-1010301
Description
jhead 3.03 is affected by: Buffer Overflow. The impact is: Denial of service. The component is: gpsinfo.c Line 151 ProcessGpsInfo(). The attack vector is: Open a specially crafted JPEG file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <= 3.03
- osv-coords (2 versions): pkg:rpm/opensuse/jhead&distro=openSUSE%20Leap%2015.2, pkg:rpm/suse/jhead&distro=SUSE%20Package%20Hub%2015%20SP2
  - (no CPE) range: < 3.06.0.1-lp152.7.6.1
  - (no CPE) range: < 3.06.0.1-bp152.4.6.1
- jhead/jhead (v5), range: 3.03
Patches
Vulnerability mechanics
Root cause
"Unbounded sprintf call in ProcessGpsInfo() writes oversized GPS coordinate values into a fixed-size stack buffer, causing a buffer overflow."
Attack vector
An attacker crafts a JPEG file with malicious EXIF GPS directory entries that contain an illegally large number format or an excessive number of components [ref_id=1]. When jhead processes the file, `ProcessGpsInfo()` at `gpsinfo.c:151` uses `sprintf` with a `%9.6f` format string to format GPS coordinate values into a stack buffer; a manipulated value (e.g., a huge floating-point number) overflows the 50-byte destination buffer, triggering a stack buffer overflow [ref_id=1]. The attack requires no authentication—only that the victim opens the crafted JPEG with jhead [ref_id=1].
Affected code
The vulnerability resides in `gpsinfo.c` at line 151 in the `ProcessGpsInfo()` function [ref_id=1]. The backtrace shows the crash occurs when `sprintf` writes GPS coordinate data into a fixed-size stack buffer without bounds checking [ref_id=1]. The function is called from `ProcessExifDir()` in `exif.c` (line 866) during JPEG EXIF parsing [ref_id=1][ref_id=2].
What the fix does
The Debian patch [ref_id=3] addresses a related heap-buffer overflow (CVE-2018-17088) by adding an integer overflow check before the offset+bytecount comparison: `if (OffsetVal > UINT32_MAX - ByteCount || OffsetVal+ByteCount > ExifLength)` [ref_id=3]. However, the stack buffer overflow at `gpsinfo.c:151` (CVE-2019-1010301) is not fixed by this patch; the advisory notes that the upstream author was unresponsive, and the Fedora/Ubuntu packages incorporated downstream patches [ref_id=1]. The fix for the stack overflow requires either using a bounded `snprintf` or validating the GPS value magnitude before formatting.
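An added example (not jhead's code and not any distribution's patch) of the two mitigations named above: a magnitude check before formatting, followed by a bounded `snprintf` whose truncation is treated as an error. The helper names, the 360.0 bound and the sample values are assumptions; the 50-byte buffer and the `%9.6f` format come from the description above.

```c
#include <stdio.h>

#define GPS_BUF_LEN 50    /* destination size given in the description */
#define GPS_MAX_ABS 360.0 /* assumed sanity bound for one GPS component */

/* Bytes "%9.6f" produces for v, excluding the NUL. The 9 is only a
 * minimum field width, so a large magnitude expands far beyond it. */
int gps_formatted_len(double v)
{
    return snprintf(NULL, 0, "%9.6f", v);
}

/* Hypothetical hardened formatter: rejects NaN, infinities and values
 * outside [-max_abs, max_abs], then formats with a bounded snprintf and
 * treats truncation as an error. Returns 0 on success, -1 on rejection;
 * on rejection out holds an empty string. */
int gps_format_checked(char *out, size_t outlen, double v, double max_abs)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (!(v >= -max_abs && v <= max_abs))   /* NaN fails both tests */
        return -1;
    n = snprintf(out, outlen, "%9.6f", v);
    if (n < 0 || (size_t)n >= outlen) {     /* output would not fit */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[GPS_BUF_LEN];
    double samples[] = { 48.858222, 1e300 };  /* constructed values */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int need = gps_formatted_len(samples[i]);
        int rc = gps_format_checked(buf, sizeof buf, samples[i], GPS_MAX_ABS);
        printf("needs %d bytes, %s: \"%s\"\n", need,
               rc == 0 ? "accepted" : "rejected", buf);
    }
    return 0;
}
```

The truncation check still rejects an oversized value when the range bound is set too loosely, so the two checks do not depend on each other.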
Preconditions
- input: Victim must run jhead on a specially crafted JPEG file
- auth: No authentication or special privileges required
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3WVQTORTGQE56XXC6OVHQCSCUGABRMQZ/ (mitre, vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTGUHTJTQ6EKEPDXFSKZKVLUJC4UAPBQ/ (mitre, vendor-advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202007-17 (mitre, vendor-advisory, x_refsource_GENTOO)
- bugs.launchpad.net/ubuntu/+source/jhead/+bug/1838251 (mitre, x_refsource_CONFIRM)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)
- launchpadlibrarian.net/435112680/32_crash_in_gpsinfo (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/12/msg00037.html (mitre, mailing-list, x_refsource_MLIST)